SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #19

March 08, 2016

For any reader considering becoming a "hunter," Ed Skoudis told 1,200
people attending his session at RSA 2016 last week about a tool that can
take data gathered from the network and logs and do automated anomaly
analysis of it based primarily on statistical analysis. It's called RITA
(Real Intelligence Threat Analysis) and is freely available from Black
Hills Information Security at:
http://www.blackhillsinfosec.com/#!rita/wrje5More details are available here:
http://www.blackhillsinfosec.com/#!RITA-Real-Intelligence-Threat-Analysis/c1592/5629695b0cf2f4d93f152218.It doesn't look for changed files, but instead it looks for beaconing
of implanted malware / command-and-control channels, unusual concurrent
sessions, and more. Some of the top hunt teams in the world use it
regularly in their quests to find infected machines and other malicious
incursions.
Alan

STORM CENTER TECH CORNER

Symantec Webcast: Symantec 2016: Unifying Your Security Strategy, March 17, 10am PT - If you want to protect your organization against advanced cyberattacks, you need to close the security gaps in your current threat strategy. Join Symantec in a real-world discussion about the future of security with end to end protection that seals the gaps. http://www.sans.org/info/183797

TOP OF THE NEWS

US Air Force Cyberweapons Systems Operational (March 7, 2016)

The US Air Force Space Command's Cyberspace Vulnerability Assessment/Hunter (CVA/H) weapon system is now fully operational. CVA/H protects the Air Force information network with vulnerability assessments, threat detection, and compliance evaluation. Earlier this year the Air Force Intranet Control (AFINC) Weapon became operational. That system provides boundary defense for external and inter-base traffic. The Air Force has several other cyberweapons in development. -http://www.zdnet.com/article/the-us-air-force-now-has-two-fully-operational-cyberspace-weapon-systems/

RSA: Seven Attack Trends (March 3, 2016)

At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware. -http://www.darkreading.com/risk/7-attack-trends-making-security-pros-sweat/d/d-id/1324563************************** SPONSORED LINKS ******************************** 1) Free eBook Download: Data Breach Detection - What You Need to Know. http://www.sans.org/info/183802

Seagate Phish Exposes Employee Tax Documents (March 6, 2017)

A Seagate Technology employee was successfully tricked into sending all company W-2 tax documents "to an unauthorized third party." The phishing attack compromised W-2 tax documents for all current and former employees of the company. W-2s include Social Security numbers (SSNs), pay data, and other information that could be used to file fraudulent tax returns. Federal authorities are investigating the incident. -http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/[Editor's Note (Williams): If you read the comments section, you'll see that Seagate isn't the only company impacted by this scam. Data loss prevention, if properly installed and configured, would have detected thousands of social security numbers being exfiltrated from the network. Organizations should take this as an opportunity to evaluate their own data loss prevention technologies to see how they would fare if one of their employees fell victim to the same attack. (Northcutt): About eleven years ago I noticed that the GIAC email letting students know their exam was available kept getting bounced. The bounces were all from the same large financial organization. Somehow their CISO had convinced management that not all of the employees needed unfettered access to Internet email. They developed an internal mail system for employee to employee communication and gave extra training to those that responded to public requests for information. At about the same time Will Pelgrin, CISO New York started training about test phishing New York State employees. Fast forward from 2005 to 2016 and many companies have programs to phish employees and they are all learning the same lesson, human error is going to happen some percent of the time. Jake Williams is right, Data Loss Prevention systems would go ape if they saw thousands, but less than ten thousand social security numbers flying by. But DLP can be tuned far better if the number of employees responding to the public is drastically reduced. And we have the ability to gateway critically important listserv email like Slashdot into the internal system: -http://www.wsj.com/articles/SB112424042313615131-http://slashdot.org/]

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/